Blind Injection

For blind SQL injection attacks, you should take into consideration the following built-in functions:

String Length

LENGTH(str)

Extract a substring from a given string

SUBSTR(str,index,offset)

String representation with no single quotes

CHR(104)||CHR(101)||CHR(108)||CHR(108)||CHR(111)
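Seen from the defender's side, the three primitives above leave a recognisable shape in statement logs. The following added example (not part of the original page) flags LENGTH/SUBSTR results that are used in a comparison and decodes CHR() concatenations back to the string they hide; the function names, the news table and the sample statements are constructed for illustration.

```python
import re

# One CHR(n) term, and a chain of two or more terms joined with ||.
CHR_TERM = re.compile(r"CHR\(\s*(\d+)\s*\)", re.IGNORECASE)
CHR_CHAIN = re.compile(
    r"CHR\(\s*\d+\s*\)(?:\s*\|\|\s*CHR\(\s*\d+\s*\))+", re.IGNORECASE)
# LENGTH(...) or SUBSTR(...) whose result is compared: the shape of a
# true/false probe. Arguments may contain one level of nested parentheses.
PROBE = re.compile(
    r"\b(LENGTH|SUBSTR)\s*\((?:[^()]|\([^()]*\))*\)\s*(?:=|<>|!=|<=|>=|<|>)",
    re.IGNORECASE)


def decode_chr_chains(statement):
    """Return the strings hidden in CHR(n)||CHR(n)... chains."""
    decoded = []
    for chain in CHR_CHAIN.finditer(statement):
        codes = [int(n) for n in CHR_TERM.findall(chain.group(0))]
        decoded.append("".join(chr(c) for c in codes if 0 < c < 0x110000))
    return decoded


def triage(statement):
    """Return the findings for one logged statement (empty list = clean)."""
    findings = [f"chr-chain decodes to {s!r}"
                for s in decode_chr_chains(statement)]
    findings += [f"{m.group(1).upper()} result used in a comparison"
                 for m in PROBE.finditer(statement)]
    return findings


# Constructed sample statements, as they might appear in a statement log.
SAMPLE_LOG = [
    "SELECT title FROM news WHERE id = 7",
    "SELECT title FROM news WHERE id = 7 AND LENGTH(author) > 5",
    "SELECT title FROM news WHERE id = 7 AND SUBSTR(author,1,1) = CHR(104)",
    "SELECT title FROM news WHERE author = CHR(104)||CHR(101)||CHR(108)||CHR(108)||CHR(111)",
    "SELECT LENGTH(title) AS n FROM news WHERE id = 7",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for finding in triage(line):
            print(f"{finding}: {line}")
```

A hit is a triage signal, not proof: applications legitimately compare string lengths, so findings are best correlated with the request parameter that produced the statement.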

Starting at version 8.2, PostgreSQL introduced a built-in function, pg_sleep(n), to make the current session process sleep for n seconds. This function can be leveraged to execute timing attacks (discussed in detail at Blind SQL Injection).

In addition, you can easily create a custom pg_sleep(n) in previous versions by using libc:

plpython

PL/Python allows users to code PostgreSQL functions in Python. It is an untrusted language, so there is no way to restrict what a user can do. It is not installed by default and can be enabled on a given database by CREATELANG.

plperl

PL/Perl allows us to code PostgreSQL functions in Perl. Normally, it is installed as a trusted language in order to disable runtime execution of operations that interact with the underlying operating system, such as open. By doing so, it's impossible to gain OS-level access. To successfully inject a proxyshell-like function, we need to install the untrusted version as the postgres user, to avoid the so-called application mask filtering of trusted/untrusted operations.

Check if PL/perl-untrusted has been enabled:

SELECT count(*) FROM pg_language WHERE lanname='plperlu'

If not, assuming that sysadm has already installed the plperl package, try: